3 Answers

There's no reason whatsoever that an IIS server HAS to have more ports open to it than an Apache server. Now, in reality, perhaps it would have more ports that you MAY wish to open between it and the servers behind it (AD etc.), but if you had front and rear interfaces you'd only open them on the rear anyway, making IIS just as capable of running with 80/443 on the front ports as Apache.

As others have mentioned, one HTTP server (IIS/Apache) doesn't need any more ports open than the other. What they seem to be confusing/obfuscating is further down below the HTTP server. Windows joined to an Active Directory domain is very much reliant on DNS.

A diagram of where the servers are sitting in relation to any firewalls would help. It sounds like the web server is supposed to be public facing. If that's the case, is it in a DMZ?

I agree with the others, though. There should be no reason that you need to expose more than 80/443 to the public, in any situation.

Edit:
In your DMZ, if the Windows box has to be joined to an AD domain and there is no DC in the DMZ (which I'm guessing there isn't), then additional ports will need to be opened in order to communicate with DNS and AD.

Now, I'm not a *nix god but if there's any kind of central authentication happening for Apache I think that's also going to be the case. Maybe that has already been set up, though, and they are pushing more for using the existing configuration.

Bottom line: the statement that IIS needs additional ports open is simply not true. All of the underlying services MIGHT need to have more ports opened, but it's completely dependent on how the web app will work and how it is managed. For straight HTTP services the standard ports 80/443 are all that is needed.
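The split the answers describe (only 80/443 inbound on the Internet-facing interface, AD/DNS traffic confined to the rear interface and to the domain controllers) is easy to state and easy to get subtly wrong in a real rule table. The script below is an added example, not code from the thread or from anyone posting in it: it models a two-interface rule set and audits it against that advice. The rule tables, the DC subnet 10.0.10.0/24 and the `Rule` type are constructed for illustration; the AD/DNS port list is the set commonly documented for a domain-joined member server and should be trimmed to what your domain actually uses.

```python
"""Audit a front/rear web-server firewall policy against the advice in the
thread: only 80/443 inbound on the Internet-facing interface, AD/DNS traffic
only on the rear interface and only towards the domain controllers.

Added example; not from the thread. The rule tables and addresses below are
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Ports an AD-joined member server commonly needs towards its DCs: DNS,
# Kerberos, NTP, RPC endpoint mapper, LDAP/LDAPS, SMB, kpasswd, Global Catalog.
# Assumption: the usual documented set; trim it to what your domain actually uses.
AD_MEMBER_PORTS = {
    ("tcp", 53), ("udp", 53), ("tcp", 88), ("udp", 88), ("udp", 123),
    ("tcp", 135), ("tcp", 389), ("udp", 389), ("tcp", 445),
    ("tcp", 464), ("udp", 464), ("tcp", 636), ("tcp", 3268), ("tcp", 3269),
}
AD_RPC_DYNAMIC = ("tcp", 49152, 65535)   # RPC high ports negotiated via 135
PUBLIC_WEB_PORTS = {("tcp", 80), ("tcp", 443)}


@dataclass(frozen=True)
class Rule:
    iface: str       # "front" (Internet side) or "rear" (LAN side)
    direction: str   # "in" or "out", relative to the web server
    proto: str       # "tcp" or "udp"
    port_lo: int
    port_hi: int
    remote: str      # CIDR of the far end the rule permits


def is_ad_traffic(proto, port_lo, port_hi):
    """True if the whole port range belongs to the AD/DNS member-server set."""
    if port_lo == port_hi:
        return (proto, port_lo) in AD_MEMBER_PORTS
    dyn_proto, dyn_lo, dyn_hi = AD_RPC_DYNAMIC
    return proto == dyn_proto and port_lo >= dyn_lo and port_hi <= dyn_hi


def audit(rules, dc_subnet):
    """Return (severity, message) findings. HIGH contradicts the thread's
    advice; INFO is permitted but worth a second look. Empty list = clean."""
    dc_net = ip_network(dc_subnet)
    findings = []
    for r in rules:
        span = f"{r.proto}/{r.port_lo}" + (f"-{r.port_hi}" if r.port_hi != r.port_lo else "")
        remote = ip_network(r.remote)
        if r.iface == "front":
            web_only = r.port_lo == r.port_hi and (r.proto, r.port_lo) in PUBLIC_WEB_PORTS
            if r.direction == "in" and not web_only:
                findings.append(("HIGH", f"front: {span} inbound from {r.remote} exposes more than 80/443"))
            elif r.direction == "out" and is_ad_traffic(r.proto, r.port_lo, r.port_hi):
                findings.append(("HIGH", f"front: {span} outbound is AD/DNS traffic; it belongs on the rear interface"))
        else:  # rear interface
            if is_ad_traffic(r.proto, r.port_lo, r.port_hi):
                if not remote.subnet_of(dc_net):
                    findings.append(("HIGH", f"rear: {span} to {r.remote} is wider than the DC subnet {dc_subnet}"))
            else:
                findings.append(("INFO", f"rear: {span} {r.direction} {r.remote} is not AD/DNS; confirm it is a management or app dependency"))
    return findings


DC_SUBNET = "10.0.10.0/24"   # constructed: where the domain controllers live

# Constructed: what the posters describe, 80/443 on the front and AD on the rear.
RECOMMENDED_RULES = [
    Rule("front", "in", "tcp", 80, 80, "0.0.0.0/0"),
    Rule("front", "in", "tcp", 443, 443, "0.0.0.0/0"),
    Rule("rear", "out", "udp", 53, 53, DC_SUBNET),
    Rule("rear", "out", "tcp", 88, 88, DC_SUBNET),
    Rule("rear", "out", "tcp", 135, 135, DC_SUBNET),
    Rule("rear", "out", "tcp", 389, 389, DC_SUBNET),
    Rule("rear", "out", "tcp", 445, 445, DC_SUBNET),
    Rule("rear", "out", "tcp", 49152, 65535, DC_SUBNET),
]

# Constructed: the same server with two common mistakes added.
SLOPPY_RULES = RECOMMENDED_RULES + [
    Rule("front", "in", "tcp", 3389, 3389, "0.0.0.0/0"),  # RDP on the public side
    Rule("rear", "out", "tcp", 445, 445, "0.0.0.0/0"),    # SMB to anywhere, not just the DCs
]

if __name__ == "__main__":
    for name, rules in (("recommended", RECOMMENDED_RULES), ("sloppy", SLOPPY_RULES)):
        print(name)
        result = audit(rules, DC_SUBNET) or [("OK", "only 80/443 on the front, AD/DNS confined to the rear")]
        for sev, msg in result:
            print(f"  [{sev}] {msg}")
```

The recommended table audits clean; the sloppy one reports the public RDP rule and the SMB rule that reaches past the DC subnet. The INFO path is deliberate: the rear interface legitimately carries management and application traffic that is not AD/DNS, so the audit lists it for review rather than blocking it.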